16 November 2009

Botnets? Not a problem...

An article in PC Pro by Asavin Wattanajantra quotes Dr Steve Marsh, who is deputy director at the Office of Cyber Security in the Cabinet Office, as saying (in respect of EU policy on protecting Europe from cyber attack, whatever you may understand by that term) that:

"the main focus of botnets would be to target and extort money from private companies, rather than bring down public sector networks [and] .... in a sense [it is] not in their interest to bring down infrastructure which is earning them money."

This isn't a million miles away from something I was saying early in 2009, when there was a great deal of speculation in the media about what would happen when and if the Conficker worm went active on April 1st. Much of that speculation centred around the possibility that the Conficker botnet would launch a major attack on the Internet infrastructure. The point I made several times in blogs at ESET and elsewhere at that time was that it wouldn't make sense for the botmasters to switch straight into such an attack, since it would make it harder in the longer term to make use of the kind of concerted attack that botnets do so well (click fraud, DDoS and so on).

Nevertheless, Dr. Marsh's statement, if quoted correctly, is, at least in the context of that article, somewhat misleading. (As Gadi Evron pointed out at some length in a typically insightful article at Dark Reading.) Assaults on the infrastructure of the Internet are one thing. (They're by no means out of the question, by the way: my point about Conficker was that most known criminal botnets are about commercial gain, and it wouldn't be in the interests of the botmaster to compromise the effectiveness of his network. However, the same is by no means necessarily true of other groups.)

Attacks on government infrastructures are another matter. I certainly don't wish to raise the spectre of (sigh...) cyberwarfare and all that FUD (Fear, Uncertainty, Doubt) unnecessarily, but I can think of many hypothetical scenarios where a concerted attack on a national infrastructure might be made by another government or a terrorist organization, with dramatic consequences. (In the UK, it's common to see references to the Critical National Infrastructure, which I believe includes not only the Corridors of Power, but more peripheral areas such as parts of the National Health Service, and sectors like banking which many people wouldn't necessarily think of in a governmental context.) The "Government Secure Internet" (GSI) is indeed a pretty effective layer of protection, but it does not, I think, cover all the sectors that might sustain serious impact from such an attack, and might in turn seriously damage the wellbeing of the nation as a whole.

I spend most of my working life saying "Don't panic!" in one context or another, and right now, we aren't seeing huge botnets used for (sigh...) cyberwarfare. Nevertheless, I don't believe that the UK government or the European Community (or anyone else) should be complacent about potential risks to national security from botnet-like activity, just because most of the bots we know of right now have a commercial agenda. Anyone with the resources and incentive can build, buy or rent a botnet (should I mention the BBC?), and it's not a good idea to make too many presumptions about what motivation might drive the individual or organization behind future botnet attacks.

About the (ISC)² Blog

As the certifying body for more than 125,000 cyber, information, software and infrastructure security professionals worldwide, (ISC)² believes in the importance of open dialogue and collaboration. (ISC)² established this blog to provide a voice to certified members, who have significant knowledge and valuable insights that can benefit other security professionals and the public at large.

The (ISC)² blog gives members a forum to exchange ideas and inspires a safe and secure cyber world by supporting the advancement of the information security workforce via a public exchange with a broad range of information security topics.

Whether an (ISC)² member chooses to participate in the (ISC)² blog is his or her own decision. The postings on this site are the author's own and don't necessarily represent (ISC)²'s positions, strategies or opinions. (ISC)² monitors the blog in accordance with the (ISC)² Blog Guidelines, but the bloggers are responsible for their own content – common sense and intelligence should prevail.

Other than links to the (ISC)² website, (ISC)² does not control or endorse any links to products or services provided in this blog and makes no warranty regarding the content on any other linked website.

Those who post comments to (ISC)² blogs should ensure their comments are focused on relevant topics that relate to the specific blog being discussed. (ISC)² reserves the right to remove any post or comment from this site. Should you find objectionable content in this blog, please notify us as soon as possible at blog@isc2.org